Microsoft offers up to $20,000 in Xbox bug bounty

Microsoft is no stranger to using bug bounty programs to track down security problems and other issues with its software and services. Now the company has launched an Xbox bug bounty program, offering payouts of up to $20,000 to anyone finding vulnerabilities.

The particular aim of this bounty program is to find issues with the Xbox Live network and services. Microsoft says the amounts it will pay gamers and security researchers who report problems will depend on the severity and impact of the vulnerability, as well as the quality of the submission.


The average gamer is unlikely to unearth issues with Xbox Live that will suddenly make them twenty grand richer. Microsoft is placing a strong emphasis on the quality of reporting, demonstration of a proof of concept, and so on.

Microsoft explains the bounty program:

The Xbox Bounty Program invites gamers, security researchers, and others around the world to help identify security vulnerabilities in the Xbox Live network and services and share them with the Xbox team. Qualified submissions are eligible for bounty rewards of $500 to $20,000 USD.

Bounties will be awarded at Microsoft’s discretion based on the severity and impact of the vulnerability and the quality of the submission, and subject to the Microsoft Bounty Terms and Conditions.

Although Microsoft says that the lowest payout is $500, in an explanatory table, it shows the figure being $1,000:

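| Security Impact | Report Quality | Critical | Important | Moderate | Low |
|---|---|---|---|---|---|
| Remote Code Execution | High | $20,000 | $15,000 | N/A | N/A |
| | Medium | $15,000 | $10,000 | | |
| | Low | $10,000 | $5,000 | | |
| Elevation of Privilege | High | $8,000 | $5,000 | $0 | N/A |
| | Medium | $4,000 | $2,000 | | |
| | Low | $3,000 | $1,000 | | |
| Security Feature Bypass | High | N/A | $5,000 | $0 | N/A |
| | Medium | | $2,000 | | |
| | Low | | $1,000 | | |
| Information Disclosure | High | N/A | $5,000 | $0 | $0 |
| | Medium | | $2,000 | | |
| | Low | | $1,000 | | |
| Spoofing | High | N/A | $5,000 | $0 | $0 |
| | Medium | | $2,000 | | |
| | Low | | $1,000 | | |
| Tampering | High | N/A | $5,000 | $0 | $0 |
| | Medium | | $2,000 | | |
| | Low | | $1,000 | | |
| Denial of Service | High/Low | Out of Scope | | | |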

It is interesting to see that things such as DoS vulnerabilities and critical severity security feature bypasses are not eligible for payments as part of this program.

Full details of the rules and eligibility for the bounty program can be found here.

Image credit: TheInnerProduct / Shutterstock
